New OpenWrt install, no luck to forward external tcp/443 to internal tcp/443

hi all gurus,

I just installed my very first OpenWRT image version 18.06.1 on a raspberry pi 2, which I want to act as my firewall between LAN and WAN.
The raspberry is connected to a modem/router of my ISP. The interface on that ISP router has 192.168.0.1/24, the (wan) interface "eth1" of my raspberry is statically set on 192.168.0.10/24

The raspberry's LAN interface "br-lan" is defined on physical interface "eth0", and is statically set on 10.50.0.3/24, which is part of my LAN (10.50.0.0/24)

Via the web interface "Luci" I first added the possibility to connect from my LAN to the web, via the tab "Traffic rules", which results in the following section in "/etc/config/firewall":

config rule
        option target 'ACCEPT'
        option src 'lan'
        option family 'ipv4'
        option name 'Allow-all-outgoing'
        option dest '*'

This works fine (= we can browse the web as expected).

Now I have an internal web server on LAN address 10.50.0.14, listening on tcp/80 and tcp/443. I can access this webserver on each port from the internal LAN, just to check.
To reach this webserver also from the web, I want to add forwarding to those 2 ports. Via the LUCI web interface in the tab "Port forwards" I added those forwards, which result in the following sections in "/etc/config/firewall":

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '10.50.0.14'
        option name 'web'
        option src_dip '192.168.0.10'
        option src_dport '80'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.50.0.14'
        option dest_port '443'
        option name 'webs'
        option src_dip '192.168.0.10'

This doesn't work: a check if the port is open from https://canyouseeme.org/ on each port shows that they are not open ("connection refused"). When I run "tcpdump" on the raspberry 'external' interface "eth1", I see the packets entering for both tcp/80 and tcp/443, so the ISP router is not blocking anything. When I run "tcpdump" on its 'internal' interface "eth0", I do not see those packets entering my LAN.

What is missing? I don't find any article on the web describing the need for any other config just for this port forwarding...

Output of "uci show firewall":

# uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-IPSec-ESP'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest='lan'
firewall.@rule[0].proto='esp'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-ISAKMP'
firewall.@rule[1].src='wan'
firewall.@rule[1].dest='lan'
firewall.@rule[1].dest_port='500'
firewall.@rule[1].proto='udp'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].src='lan'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].name='Allow-all-outgoing'
firewall.@rule[2].dest='*'
firewall.@rule[3]=rule
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='lan'
firewall.@rule[3].name='Allow-all-out-PING'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request'
firewall.@rule[3].dest='*'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='1'
firewall.@zone[1].network=' '
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_ip='10.50.0.14'
firewall.@redirect[0].name='web'
firewall.@redirect[0].src_dip='192.168.0.10'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest_port='80'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest_ip='10.50.0.14'
firewall.@redirect[1].dest_port='443'
firewall.@redirect[1].name='webs'
firewall.@redirect[1].src_dip='192.168.0.10'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'

Wouldn't the source IP and port need to be wildcarded if you want "any" outside host to be able to reach your server?

NNN.NNN.NNN.NNN:MMMM => ip_of_openwrt_wan:443

gets NAT-ed to

NNN.NNN.NNN.NNN:MMMM => ip_of_server:443

(as well as configuring your ISP-supplied device to NAT its external_ip:443 to ip_of_openwrt_wan:443)


Edit: You may want to use ports on your OpenWrt box other than 80 and 443, if you're using LuCI.

@jeff :
as my ISP router is doing NAT of traffic that is directed to its external IP address (= the address I specify in the port-checking site) into the 'internal' IP address of my raspberry pi router (=192.168.0.10), the traffic that I see arriving on my router's external interface has indeed the destination IP = 192.168.0.10, and port tcp/80 resp tcp/443.
The small info text in LUCI under the box "External IP address" says

Only match incoming traffic directed at the given IP address.

So I specified 192.168.0.10 in that box "External IP address", and that's what you see in the resulting redirect sections.

-> did I misunderstand the meaning of this address box in LUCI? I can leave the IP empty of course, since all incoming traffic is anyhow directed to my raspberry router.

That is my error in understanding UCI syntax, not yours, after reading https://openwrt.org/docs/guide-user/firewall/firewall_configuration#redirects

uci show network
ip a; ip r; ip ru; iptables-save

Sometimes access from LAN is not the same as access outside of LAN, e.g. Windows firewall.
You should run tcpdump on the destination host to make sure.

You don't need it, unless you messed up the interfaces/networks/zones binding.

Those are redundant in your case.


@vgaetera : thanks for your replies!

The webserver is running on UNIX, not Windows. No firewall on that host is blocking packets. I have indeed already used "tcpdump" on that webserver to confirm that no such packets are arriving on its interfaces.

You say that I don't need this "config rule" block in the /etc/config/firewall, but that config has been generated from my settings in the LUCI web interface in its tab "Port forwards".
Do you mean that I shall not configure the port forwarding in that particular tab of LUCI? What is then the correct part of the LUCI web interface to configure port forwarding?

You also write that the "source_dip" and "dest_port" parts of that "config rule" block are redundant. What exactly do you mean by that, since these lines too (just like the entire config file) have been generated from the LUCI web interface as per my port forwardings.
I am not 100% sure about the necessity of specifying the "source_dip", but in any case the "dest_port" looks essential to me to state explicitly to which internal (= on my webserver) destination port the forwarding of the original (= as what arrived from the web onto my firewall) destination port must be done. Or am I missing something in the definitions of the fill-in boxes of the LUCI web interface?

uci show network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd91:aec4:7bce::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='10.50.0.3'
network.lan.netmask='255.255.255.0'
network.lan.dns='10.50.0.28'
network.WAN=interface
network.WAN.ifname='eth1'
network.WAN.proto='static'
network.WAN.ipaddr='192.168.0.10'
network.WAN.netmask='255.255.255.0'
network.WAN.gateway='192.168.0.1'
network.WAN.broadcast='192.168.0.255'

ip a :

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether b8:27:eb:61:57:77 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 58:d5:6e:3e:19:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5ad5:6eff:fe3e:19b5/64 scope link
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether b8:27:eb:61:57:77 brd ff:ff:ff:ff:ff:ff
    inet 10.50.0.3/24 brd 10.50.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe61:5777/64 scope link
       valid_lft forever preferred_lft forever

ip r :

default via 192.168.0.1 dev eth1
10.50.0.0/24 dev br-lan scope link  src 10.50.0.3
192.168.0.0/24 dev eth1 scope link  src 192.168.0.10

ip ru :

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

iptables-save :

# Generated by iptables-save v1.6.2 on Thu Feb 28 18:55:42 2019
*nat
:PREROUTING ACCEPT [63034:22094061]
:INPUT ACCEPT [2881:471422]
:OUTPUT ACCEPT [53:3999]
:POSTROUTING ACCEPT [5:351]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 10.50.0.0/24 -d 10.50.0.14/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web (reflection)" -j SNAT --to-source 10.50.0.3
-A zone_lan_postrouting -s 10.50.0.0/24 -d 10.50.0.14/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs (reflection)" -j SNAT --to-source 10.50.0.3
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 10.50.0.0/24 -d 192.168.0.10/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web (reflection)" -j DNAT --to-destination 10.50.0.14:80
-A zone_lan_prerouting -s 10.50.0.0/24 -d 192.168.0.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs (reflection)" -j DNAT --to-destination 10.50.0.14:443
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -d 192.168.0.10/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web" -j DNAT --to-destination 10.50.0.14:80
-A zone_wan_prerouting -d 192.168.0.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs" -j DNAT --to-destination 10.50.0.14:443
COMMIT
# Completed on Thu Feb 28 18:55:42 2019
# Generated by iptables-save v1.6.2 on Thu Feb 28 18:55:42 2019
*mangle
:PREROUTING ACCEPT [27895068:18456194704]
:INPUT ACCEPT [282696:28911080]
:FORWARD ACCEPT [27479825:18388144463]
:OUTPUT ACCEPT [279876:27588003]
:POSTROUTING ACCEPT [27759701:18415732466]
COMMIT
# Completed on Thu Feb 28 18:55:42 2019
# Generated by iptables-save v1.6.2 on Thu Feb 28 18:55:42 2019
*filter
:INPUT ACCEPT [2888:179628]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [63:4308]
:forwarding_lan_rule - [0:0]
:forwarding_log_chain - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j LOG --log-prefix "HTTP-SYN:"
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j LOG --log-prefix "HTTP-ACK-FIN:"
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 -j LOG --log-prefix "HTTP-DPRT-ALL:"
-A forwarding_rule -j forwarding_log_chain
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m comment --comment "!fw3: Allow-all-outgoing" -j ACCEPT
-A zone_lan_forward -p udp -m comment --comment "!fw3: Allow-all-outgoing" -j ACCEPT
-A zone_lan_forward -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-all-out-PING" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Feb 28 18:55:42 2019

I mean you don't need Allow-all-outgoing, because there's already forwarding to do the same:

I've just noticed, this one is alarming, better remove it:

Change network name to lowercase:

That should be the root cause of all your problems.


Yes, in my beginner days I was bitten by that as well. Luci is the only place that shows network names in uppercase, even though internally they are lowercase. It needs to stop doing that.


Good to know. The opposite would be weird enough!

hi @vgaetera, many thanks for spotting the case-change of the "WAN" interface versus what LUCI was assuming to be the name of that interface (=lowercase "wan").

I made the change in /etc/config/network ("WAN" -> "wan"), rebooted the box, and now my port forwarding from an external source to my internal webserver is working!

My worries remain however about your remark that the /etc/config/firewall contains this:

config forwarding
        option dest 'wan'
        option src 'lan'

I have no clue which part of the LUCI web interface causes this part of the config to be added to the file.

iptables-save :

# Generated by iptables-save v1.6.2 on Fri Mar  1 19:04:04 2019
*nat
:PREROUTING ACCEPT [633:144380]
:INPUT ACCEPT [18:5295]
:OUTPUT ACCEPT [52:3891]
:POSTROUTING ACCEPT [8:547]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web" -j DNAT --to-destination 10.50.0.14:80
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs" -j DNAT --to-destination 10.50.0.14:443
COMMIT
# Completed on Fri Mar  1 19:04:04 2019
# Generated by iptables-save v1.6.2 on Fri Mar  1 19:04:04 2019
*mangle
:PREROUTING ACCEPT [18997:7131692]
:INPUT ACCEPT [404:43854]
:FORWARD ACCEPT [18246:6964884]
:OUTPUT ACCEPT [315:104461]
:POSTROUTING ACCEPT [18561:7069345]
COMMIT
# Completed on Fri Mar  1 19:04:04 2019
# Generated by iptables-save v1.6.2 on Fri Mar  1 19:04:04 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [45:3384]
:forwarding_lan_rule - [0:0]
:forwarding_log_chain - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j LOG --log-prefix "HTTP-SYN:"
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j LOG --log-prefix "HTTP-ACK-FIN:"
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 -j LOG --log-prefix "HTTP-DPRT-ALL:"
-A forwarding_rule -j forwarding_log_chain
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m comment --comment "!fw3: Allow-all-outgoing" -j ACCEPT
-A zone_lan_forward -p udp -m comment --comment "!fw3: Allow-all-outgoing" -j ACCEPT
-A zone_lan_forward -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-all-out-PING" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -d 10.50.0.30/32 -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -d 10.50.0.30/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Fri Mar  1 19:04:04 2019

Your iptables-save output is still missing rules for interface eth1, which should be assigned to network wan.

uci show network; uci show firewall

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd91:aec4:7bce::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='10.50.0.3'
network.lan.netmask='255.255.255.0'
network.lan.dns='10.50.0.28'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='static'
network.wan.ipaddr='192.168.0.10'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.0.1'
network.wan.broadcast='192.168.0.255'

uci show firewall

firewall.@rule[0]=rule
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].src='lan'
firewall.@rule[0].name='Allow-all-outgoing'
firewall.@rule[0].dest='*'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-IPSec-ESP'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='esp'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].dest='lan'
firewall.@rule[1].dest_ip='10.50.0.30'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-ISAKMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].dest_port='500'
firewall.@rule[2].proto='udp'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].dest='lan'
firewall.@rule[2].dest_ip='10.50.0.30'
firewall.@rule[3]=rule
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='lan'
firewall.@rule[3].name='Allow-all-out-PING'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request'
firewall.@rule[3].dest='*'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].input='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='1'
firewall.@zone[1].network=' '
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_ip='10.50.0.14'
firewall.@redirect[0].name='web'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest_port='80'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest_ip='10.50.0.14'
firewall.@redirect[1].dest_port='443'
firewall.@redirect[1].name='webs'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'

And sorry, but my victory exclamation was too soon, because the connectivity from outside to port tcp/443 is still refused...

uci delete firewall.@zone[1].network
uci add_list firewall.@zone[1].network="wan"
uci commit firewall
service firewall restart
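
The two mistakes this thread ran into (a zone whose `network` option is empty, and a network section named "WAN" while the zone expects "wan") can be caught before they cost an evening. The following checker is an added example, not code from the thread or from OpenWrt: it parses the key=value lines printed by `uci show network; uci show firewall` (run on the box, or pasted into a file on a workstation) and reports zones without bound networks, interfaces no zone covers, and redirects whose source zone therefore produces no iptables rules. The sample input is constructed to mirror the broken state from this thread.

```python
"""Check OpenWrt fw3 zone/network bindings from `uci show` output.

Added example, not from the forum thread: flags a zone whose `network`
option is empty and a network section whose name does not match what the
zones reference (UCI section names are case-sensitive, so 'WAN' != 'wan').
"""
import re
from typing import Dict, List

# Constructed sample reproducing the state before the fix: network section
# named "WAN", wan zone with an empty network list, a redirect from zone wan.
SAMPLE_UCI = """\
network.loopback=interface
network.loopback.ifname='lo'
network.lan=interface
network.lan.ifname='eth0'
network.WAN=interface
network.WAN.ifname='eth1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network=' '
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].name='web'
"""

# config.section[.option]=value ; the section part never contains a dot
LINE_RE = re.compile(r"^([^=.]+\.[^=.]+)(?:\.([^=]+))?=(.*)$")


def parse_uci(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {option: value}}; the section's type (from the bare
    `section=type` line) is stored under the pseudo-option '.type'."""
    sections: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sect, opt, val = m.groups()
        sections.setdefault(sect, {})[opt or ".type"] = val.strip().strip("'")
    return sections


def check_zone_bindings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """List human-readable problems; an empty list means the bindings look sane."""
    problems: List[str] = []
    interfaces = {name.split(".", 1)[1]
                  for name, opts in sections.items()
                  if name.startswith("network.") and opts.get(".type") == "interface"}
    zones = {opts.get("name", name): opts
             for name, opts in sections.items()
             if name.startswith("firewall.") and opts.get(".type") == "zone"}

    bound = set()
    for zname, opts in zones.items():
        nets = opts.get("network", "").split()   # the value ' ' splits to nothing
        if not nets:
            problems.append(f"zone '{zname}' has an empty network list")
        for net in nets:
            if net not in interfaces:
                problems.append(f"zone '{zname}' references undefined network '{net}'")
            bound.add(net)

    # Interfaces no zone covers; point out near-misses that differ only by case.
    for iface in sorted(interfaces - bound - {"loopback"}):
        near = [z for z in zones if z.lower() == iface.lower()]
        hint = f" (zone '{near[0]}' exists; UCI names are case-sensitive)" if near else ""
        problems.append(f"interface '{iface}' is not bound to any zone{hint}")

    # A redirect whose src zone has no network yields no iptables rules at all.
    for name, opts in sections.items():
        if opts.get(".type") != "redirect":
            continue
        src = opts.get("src", "")
        if not zones.get(src, {}).get("network", "").split():
            problems.append(f"redirect '{opts.get('name', name)}' uses src zone "
                            f"'{src}', which has no network bound")
    return problems


if __name__ == "__main__":
    for p in check_zone_bindings(parse_uci(SAMPLE_UCI)):
        print("WARN:", p)
```

On a live box, feed it real output with `(uci show network; uci show firewall) | python3 check.py` after replacing SAMPLE_UCI with `sys.stdin.read()`; an empty result means every zone fw3 is asked to build rules for actually has an interface behind it.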

YES YES YES :wink:
You're a hero, @vgaetera
What a pity that this took so much time; good documentation about how to get this working from the initial installation would have been nice...
Great that someone like @vgaetera knows so much of it.


It's not much, we have a good community here, and many people are ready and qualified to help with those minor and even more serious issues.